Eastern European Cybercrime Network Taken Down

WASHINGTON -- The list of victims runs the gamut. A small-town Texas church. A Washington, D.C., law firm. A nonprofit organization in Illinois that works with disabled children.

They are among the tens of thousands of businesses and other organizations in North America and Europe that were targeted by an Eastern European cybercrime syndicate in recent years.

The 11 cybercriminals behind the scheme, U.S. and European law enforcement officials announced Thursday, infected more than 41,000 computers with a malware program known as GozNym in an attempt to steal more than $100 million from the victims' bank accounts.

Prosecutors described the network as a "highly structured" online organized crime network, with each member assigned a special role.

The cybercriminals

Alexander Konovolov oversaw the operation. The 35-year-old Georgian national assembled his team of cybercriminals through underground Russian-language criminal forums.

Russian computer programmer Vladimir Gorin was the brains behind GozNym. Four other Russians served in other roles.

A Bulgarian "casher" was tasked with using login credentials captured by GozNym to illegally transfer funds from the victims' bank accounts into accounts controlled by the network.

And Ukrainian Gennady Kapkanov, 36, was an administrator of the Avalanche network, a platform that hosted more than 20 malware campaigns, including GozNym, before it was taken down in late 2016.

Phishing attack

To gain control of their victims' computers, the conspirators turned to what is still the most common form of cyber intrusion: sending "phishing" emails to unsuspecting employees.

In a phishing attack, a legitimate-looking business email is sent to a company employee with instructions to open a link. Once opened, the link deploys malware such as GozNym, giving the perpetrator access to the information stored on the victim's computer.

In many GozNym cases, the emails sent to the victims appeared to contain bills or invoices.

In the case of the Washington, D.C., law firm, on Feb. 16, 2016, the conspirators allegedly sent an email to an employee from "Quicken Billpay-center." The employee clicked on the link included in the email, allowing GozNym to be installed on the firm's computer network.

With GozNym capturing the firm's banking credentials, things were set in motion.

On Feb. 25, Konovolov, the Georgian ringleader, and Krasimir Nikolov, the Bulgarian "casher," exchanged details of a Massachusetts-registered bank account where they intended to transfer the stolen funds.

That same day, Nikolov, using the law firm's stolen banking credentials, attempted to transfer $97,520 from the firm's Bank of America account into the account the network controlled in Massachusetts. The transaction resulted in a loss of more than $76,000, prosecutors said.

Pennsylvania indictments

The 11 conspirators were named in a criminal indictment unsealed by prosecutors in the Western District of Pennsylvania, where some of the victims are located. The FBI's Pittsburgh Field Office, which leads many of the bureau's high-profile cybercrime investigations, began looking into GozNym two years ago.

The five Russians named in the indictment remain at large. But the six others are in custody in the U.S., Georgia, Moldova and Ukraine.

Nikolov, the Bulgarian "account takeover specialist," was arrested by Bulgarian authorities and extradited to the United States in 2016.

Five others are from Georgia, Kazakhstan, Moldova and Ukraine, countries with which the United States doesn't have extradition treaties. To ensure they're prosecuted in their home countries, U.S. officials said they shared evidence with prosecutors in Georgia, Ukraine and Moldova.

New era of fighting cybercrime

This was something the U.S. had never done before, said Scott W. Brady, U.S. Attorney for the Western District of Pennsylvania.

"International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership," Brady said at a press conference at The Hague. "The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime."

The development marks the latest takedown of an organized crime network operating on the internet.

"This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime," said FBI Pittsburgh Special Agent in Charge Robert Jones.